Security

Managing Data Exfiltration Risks with Open Access in Higher Ed

Universities must protect the valuable data that cybercriminals seek, but that’s easier said than done.

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

Colleges and universities are prime targets for cyberattackers, mainly because they’re a goldmine of valuable data including student and staff personal information, research results and financial records. It’s no longer about trying to fend off attacks or kicking out the bad actors once they’re in. Keeping a tight lid on data leaving higher education systems, thereby preventing data exfiltration, is a key part of a solid cyberdefense strategy.

Data exfiltration has become a larger problem for IT managers everywhere with the rise of double-extortion ransomware, a twist on traditional ransomware in which attackers encrypt data on local servers and grab a copy of the data to use as further leverage against the victim institution.

Mitigating Data Exfiltration Risk for Higher Education Campus Networks

While data exfiltration is used by cyberattackers against a variety of networks, higher education is particularly vulnerable. That’s because higher education has historically had a very open approach to internet access.

Colleges and universities were some of the first places in the world to be connected to the internet, so higher ed IT managers have long considered internet access a critical part of their networking infrastructure. Internet-based communications and collaboration, research and information sharing, and experimentation and data gathering are all integral to how higher education functions. To enable maximum access for students and faculty, administrators usually have a very light touch on outbound connections from campus.

Click the banner to learn more about the benefits of a zero-trust security strategy.

To mitigate the risk of data exfiltration, IT managers must take three actions: segment and isolate networks, apply appropriate access control policies, and back up those policies with technology. In some cases, this also means challenging long-held notions regarding academic freedom and internet security and negotiating with campus stakeholders to find an acceptable level of risk.

Segmentation and Isolation Can Make Data Exfiltration More Difficult

The first step toward reducing the risk of exfiltration is to appropriately segment the network and isolate different types of network users from each other.

Start with segmentation in campus data centers, especially where each individual department has its own small data center, so that servers are identified and isolated. How far to take this is a matter of resources and application engineering. Aim to microsegment each server with an individual firewall controlling inbound and outbound traffic. Most data center managers, both in higher ed and enterprise environments, find that an iterative approach works best. Start with big chunks and increase the level of segmentation and isolation as you learn more about the application load and the tools being used.

Meanwhile, major IT vendors are taking on the issue of microsegmentation in their data center network hardware, which makes it easy to slowly increase the level of segmentation by augmenting the switches, routers, firewalls, gateways and software you already have.

Options for segmenting users

Segmentation is also important on the user side, and there are many different approaches. It’s likely that IT managers have already taken steps to segment the user side of their networks.

While smaller campuses can use physical topology to implicitly identify different network segments, most higher education IT managers will prefer to implement (or have already implemented) some type of network access control or identity-driven networking, also called identity-based networking. Though this can be taken to an extreme, IT leaders have found that mixing a central authentication or identity and access management service with virtual local area network steering usually provides enough granularity to identify and apply security policies to end users.

For the purposes of reducing the risk of data exfiltration, it makes sense to concentrate on the server side of the network. An infected on-campus user workstation might lead to lateral movement of bad actors when it connects to a server. However, higher ed has been at the forefront of implementing technologies such as NAC, which means that the most likely area to improve isolation is going to be in the data center.

Building and Enforcing Appropriate Data Security Policies

Segmentation and isolation are not goals in and of themselves. They are preliminary steps toward building policies to mitigate data exfiltration risk.

IT managers are already familiar with incoming policies, so let’s focus on outgoing policies. It’s likely that you’re blocking outbound email (Simple Message Transfer Protocol port 25/ Transport Control Protocol) except from official campus mail servers and relays. You may have been doing this since the 1990s.

For exfiltration, there are three main avenues an attacker can choose from: standardized encrypted protocols, nonstandard protocols and steganographic techniques. All are difficult to detect and block without considerable collateral damage.

Click the banner below to find out how a modern data platform can transform your university.

When an attacker uses a standard protocol, such as Hypertext Transfer Protocol Secure (HTTPS) or secure copy protocol (SCP), it’s impossible to definitively tell the difference between someone exfiltrating data and someone backing up their laptop’s hard drive. For HTTPS traffic, a common protection in enterprise environments is to enforce the use of proxies, which can then decrypt the traffic and feed it to data leak protection systems. In higher ed environments, standard DLP can be used with traditional administrative data, such as identifying financial or personal information being transferred in bulk. But IT leaders are also concerned about theft of research data or less structured information that a standard DLP may not be able to identify.

On server-side networks, restricting traffic and requiring proxies is easier because servers are more predictable in their connections, although typical “allowed” destinations, such as software update servers, can be very difficult to isolate.

DISCOVER: What is a rapid maturity assessment and how does it relate to zero trust?

A better approach with user-originated HTTPS (and Secure Shell-encrypted traffic, such as SCP) is to look at behavioral information, such as bulk counters, irrespective of encryption. Exfiltrating data usually means gigabytes and terabytes of information being sent out, since attackers want to comb through data slowly and on their own turf instead of trying to identify what is useful while they could be detected.

Most firewalls and intrusion prevention systems have the capability to identify, alert and then block large quantities of data being sent in an anomalous way. Other indicators of compromise and exfiltration (such as connections to IP addresses that are in reputation-based databases or connections, or anomalous network behavior) can be used in newer firewall and IPS products as part of prevention of data exfiltration.

Attackers prefer to use standard encrypted protocols because their traffic is lost in the noise, especially in large campus environments. However, some attackers have used nonstandard protocols and ports to send data off-campus. Higher education IT managers should take a lesson from their enterprise colleagues: simply start blocking nonstandard protocols, uncommon protocols and protocol anomalies on standard ports (such as running HTTPS over the Domain Name System (DNS) port).

These kinds of blocks have all been included in all enterprise firewalls for many years, so this is a simple configuration exercise. On server networks, this is an unremarkable configuration change. On user networks, NAC or identity-based networking can be used to provide exceptions to users who need them, which can be a big cultural change.

The last common approach by attackers seeking to exfiltrate data is using steganography: hiding the data in existing typical protocols, such as DNS, network time protocol or even the “ping” command. IT managers can get a handle on this by blocking or redirecting this type of traffic except to official campus servers. As with nonstandard protocols, users requesting exemptions can be handled by the segmentation and isolation framework in place.

Preventing data exfiltration is difficult at best, and nearly impossible in higher education environments. That said, network segmentation and isolation combined with intelligent use of firewalls, IPSs and DLP tools can reduce the risk of exfiltration while allowing for user exceptions.

LagartoFilm / Getty Images